Sunday, June 28, 2020

Dns Server


A DNS server is the domain name resolver for your website's name: it provides a name resolution service. A DNS server resolves a domain name (www.example.com) into an IP address, which in technical terms is called a forward lookup, and it is also used to resolve an IP address back to a domain name, which is called a reverse lookup.
  • The lookup mechanism maps an IP address to a domain name and vice versa. Resolver DNS servers are spread all over the world in a distributed manner to reduce the load on any single server. These servers dynamically modify and update their records as new domains are registered every second.
  • Why do we need DNS servers at all? Because domain names are easier to remember than IP addresses.

Parts of DNS

  1. Namespace: the database that contains all the information: delegations, zones and domains.
  2. Servers: make the namespace available to clients.
  3. Resolver: queries the servers about a particular namespace and finds out the particular information held in that namespace.


Types

1. Authoritative servers (responsible for giving reliable answers for certain zones)
     Master (primary)
     Slave (secondary)
2. Caching/recursive server

The cache text file contains the names and addresses of the root DNS servers, which are needed to resolve names outside of the authoritative DNS domains. The root DNS servers are a group of servers that are authoritative for resolving queries at the root level.

In Windows Server: /Windows/System32/Dns/cache.dns

In CentOS: /etc/bind/db.root


DNS Working

When the user opens a browser, types a website name and searches for it, the DNS server comes into play before the website opens, because the internet works on IP addresses, not on domain names; therefore something has to map the domain name to an IP address. For this, the user's query first goes to the local DNS to ask for the website's IP address. The first step is that the web browser searches for the IP address in its local cache file, as mentioned above; if the IP address is not found in the cache file, it asks the local DNS server for it.

Let's understand it step by step:

1. Client: searches for securitythread.blogspot.com

2. The local DNS searches the DNS cache file for the IP address; if found, it is returned to the browser; if not, the query is passed to the local DNS server for the further steps.

3. The local DNS server asks a root server for the IP, but the root server only knows the top-level domains like .com, .org and .net, so in our case it only gives the IP address of the .com server.

4. Then the local DNS server asks the .com server for the IP address of securitythread.blogspot.com, but the .com server is only able to give the IP address of the nearer public DNS server, like the 8.8.8.8 we use for google.com.

5. The public DNS server gives the IP address of securitythread.blogspot.com to our local DNS server, which passes it on to the browser.





DNS Structure

It is like a hierarchical structure as shown: 

Key terms to understand:

HOSTNAME:  www.securitythread.blogspot.com

FULLY QUALIFIED DOMAIN NAME(FQDN):  www.securitythread.blogspot.com

FQDN= Hostname + Domain name 

www.securitythread.blogspot.com = www+securitythread.blogspot.com

Top-level Domain(TLD)

Generic top-level domain = .org, .com, .edu

Country code top-level Domain = .in, .uk, .usa

DNS structure



DNS QUERY

A query is a name resolution request to the local DNS server to find out the IP address of the given website.

Types: iterative and recursive

Iterative: a query directed at a DNS server that is answered with referrals to intermediate servers, possibly many of them.

Recursive: a query sent to a DNS server that requires a complete answer; the client is not referred to any other DNS server.



DNS Server types

Authoritative: Master (primary)

                        Slave (secondary)

Non-authoritative: our own cache server

The major difference is that the primary server resolves the query from its own database, whereas a non-authoritative server doesn't resolve the query from its own database; it refers the query to another DNS server for resolution.

Primary(master) DNS server

It holds the main database, on which read/write operations are performed. More than one primary server can also be installed for redundancy and fault tolerance.

Secondary DNS server

This only has a copy of the primary server's database. It is set up to balance the load on the server. It takes its records from the primary/master server at a specified time interval, so the records can only be read.

Whenever a DNS server responds to a query, the response may be of one of four types.



DNS Answer Types

Negative answer: when the website address the client is querying for is not available (its IP address doesn't exist), the response is negative.

Authoritative answer: the server has the record of that website in its own database. Our local DNS server is also called an authoritative server if it has the website's record in its own database.

Non-authoritative answer: the DNS server doesn't have the record of that website in its own database, but it queries other DNS servers or checks its own DNS cache and brings back the website's record.

Referral answer: the DNS server doesn't have the record of that website in its own database, but it refers the client to another DNS server for it.
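The resolution walk described in the DNS Working steps, the iterative/recursive distinction and the four answer types can be seen together in a small simulation. The following Python script is an added example, not code from the original post: it models three constructed servers (root, .com, and an authoritative server for blogspot.com., all with made-up addresses from the documentation ranges) and a caching local resolver. The client sends one recursive query to the local resolver; the resolver does the iterative walk, following referrals until it gets an authoritative or negative answer, and caches the result until its TTL expires, so the second lookup is served from cache. The server names, addresses, records and TTLs are all constructed.

```python
"""Toy model of DNS resolution: a caching local resolver answering a client's
recursive query by sending iterative queries (root -> TLD -> authoritative).
Added example; every server, address and record below is constructed."""

# Constructed authoritative data. Each server answers only for the names it
# holds; for a name below one of its delegations it returns a referral, and
# for anything else a negative answer.
SERVERS = {
    "198.51.100.1": {"delegations": {"com.": "192.0.2.1"}, "records": {}},          # root server
    "192.0.2.1": {"delegations": {"blogspot.com.": "203.0.113.1"}, "records": {}},  # .com TLD server
    "203.0.113.1": {                                                                 # authoritative for blogspot.com.
        "delegations": {},
        "records": {"securitythread.blogspot.com.": ("A", "203.0.113.50", 300)},    # (type, rdata, ttl)
    },
}
ROOT_SERVER = "198.51.100.1"


def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def query_server(server_ip, name):
    """One iterative query to one server. Returns (answer_kind, payload):
    'authoritative' -> (rtype, rdata, ttl), 'referral' -> next server's IP,
    'negative' -> None."""
    srv = SERVERS[server_ip]
    if name in srv["records"]:
        return "authoritative", srv["records"][name]
    # Referral answer: the longest delegated zone that encloses the queried name.
    zones = [z for z in srv["delegations"] if in_zone(name, z)]
    if zones:
        return "referral", srv["delegations"][max(zones, key=len)]
    return "negative", None


class LocalResolver:
    """The caching/recursive server the client talks to. The client asks once
    and expects a complete answer (recursive query); the resolver walks the
    referrals itself (iterative queries) and caches what it learns until the
    record's TTL expires."""

    def __init__(self, clock):
        self.clock = clock   # callable returning the current time in seconds
        self.cache = {}      # name -> (rdata, expiry time)
        self.trace = []      # which server said what during the last query

    def resolve(self, name, max_referrals=8):
        self.trace = []
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            self.trace.append("cache hit")
            return "non-authoritative", cached[0]
        server = ROOT_SERVER
        for _ in range(max_referrals):
            kind, payload = query_server(server, name)
            self.trace.append(f"{server}: {kind}")
            if kind == "referral":
                server = payload
            elif kind == "authoritative":
                rtype, rdata, ttl = payload
                self.cache[name] = (rdata, now + ttl)
                # From the client's point of view this is a non-authoritative
                # answer: the resolver relayed it from another server.
                return "non-authoritative", rdata
            else:
                return "negative", None
        raise RuntimeError("too many referrals while resolving " + name)


if __name__ == "__main__":
    import time
    resolver = LocalResolver(time.time)
    for qname in ("securitythread.blogspot.com.", "securitythread.blogspot.com.",
                  "nothere.blogspot.com.", "example.org."):
        print(qname, resolver.resolve(qname), resolver.trace)
```

The bounded referral loop matters in practice: a resolver that follows referrals without limit can be kept busy indefinitely by a misconfigured or hostile delegation chain, so real resolvers cap the number of referrals exactly as `max_referrals` does here.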



DNS records 

I am covering only the important ones:

  1. A: address mapping record; gives the IPv4 address of a website.
  2. AAAA: address mapping record; gives the IPv6 address of a website.
  3. CNAME: canonical name record; used to resolve an alias name of a website, for example www.securitythread.com and securitythread.com can be aliases of each other.
  4. PTR: reverse-lookup pointer record; works just opposite to the A and AAAA records and helps to map an IP address to the website name.
  5. SOA: start of authority record; gives full details about the DNS zone.
  6. NS: name server record; gives an authoritative name server for the given host.
  7. MX: mail exchanger record; gives the mail exchange server details.

nslookup is a command-line tool used for querying the domain name system to obtain domain records.

commands:

nslookup securitythread.com > gives the IP address

nslookup 8.8.8.8 > gives the hostname of this IP (reverse lookup)

nslookup -type=ns securitythread.com > gets the NS records

nslookup -type=all securitythread.com > gets all record types
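To make the record types above concrete, here is an added Python example (not from the original post) that builds a DNS query in the wire format nslookup sends and parses a constructed response. The response is hand-built with the name compression pointers real servers use, and decodes a CNAME, the A record of its target, and an NS record; the parser also understands AAAA, PTR, MX and SOA data. All names (web.hosting.example., ns1.example.), addresses and TTLs are constructed.

```python
"""Build a DNS query and parse a DNS response (RFC 1035 wire format).
Added example; the sample response and every name/address in it are constructed."""
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """'www.example.com.' -> length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    # Flags 0x0100 sets RD (recursion desired): ask the resolver for a complete answer.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]. Returns (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                      # a name has far fewer labels than this
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (two bytes)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                    # only backward pointers are legal; this also rules out loops
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long")
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, bytes(msg[off:off + 16]))
    if rtype in (2, 5, 12):                   # NS, CNAME, PTR: a single name
        return read_name(msg, off)[0]
    if rtype == 15:                           # MX: preference + exchange name
        return struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0]
    if rtype == 6:                            # SOA: two names + five 32-bit counters
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return msg[off:off + rdlen].hex()         # unknown type: raw bytes


def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an + ns + ar):             # answer, authority and additional sections
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPE_NAMES.get(rtype, rtype), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "questions": questions, "records": records}


def build_sample_response(txid=0x1234):
    """Constructed reply to build_query('securitythread.blogspot.com.', 'A')."""
    qname = "securitythread.blogspot.com."
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 1, 0))   # QR, RD, RA; 2 answers, 1 authority
    msg += encode_name(qname) + struct.pack("!HH", QTYPES["A"], 1)
    qname_off = 12
    blogspot_off = qname_off + 1 + len("securitythread")               # the 'blogspot' label inside the question
    pointer = lambda o: struct.pack("!H", 0xC000 | o)
    target = encode_name("web.hosting.example.")
    msg += pointer(qname_off) + struct.pack("!HHIH", QTYPES["CNAME"], 1, 300, len(target))
    cname_off = len(msg)
    msg += target
    msg += pointer(cname_off) + struct.pack("!HHIH", QTYPES["A"], 1, 60, 4) + bytes([203, 0, 113, 50])
    ns = encode_name("ns1.example.")
    msg += pointer(blogspot_off) + struct.pack("!HHIH", QTYPES["NS"], 1, 3600, len(ns)) + ns
    return bytes(msg)


if __name__ == "__main__":
    print(build_query("securitythread.blogspot.com.", "A").hex())
    print(parse_message(build_sample_response()))
```

The backward-only rule in `read_name` is the check a parser needs: a compression pointer that points at or after itself would otherwise send a naive parser into an endless loop, which is a classic way malformed responses crash or hang resolvers.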


DNS Zone 

A DNS zone is a database that contains the resource records of a contiguous part of the DNS namespace. For example, you have a DNS zone called securitythread.com inside the DNS server, where you create records for all your networking devices.

DNS Zone Types 

  1. Primary zone: has read/write permission on all of its records.
  2. Secondary zone: this zone only has read permission on its records.
  3. Stub zone: stores a copy of a zone that contains only the records needed to locate its name servers.
  4. Active Directory-integrated zone: here the data is stored in Active Directory rather than in a traditional zone file.

DNS zone transfer 

Zone transfer is the process of copying the content of the zone file from a primary DNS server to a secondary DNS server so that the records stay synchronized between primary and secondary. The primary zone server notifies the secondary server when changes occur in the zone database records.

Configuring the zone transfers

  1. Active Directory-integrated zone: in this type of setup, DNS servers running on domain controllers can store their zones in Active Directory Domain Services. Because of this, multiple masters can exist for DNS replication, so any domain controller in the domain can write updates to the AD-integrated DNS zones for the domain name. Active Directory-integrated zones store the DNS zone data in the Active Directory database, and replication of the records happens through Active Directory.
  2. Traditional DNS zone: the transfer takes place between primary and secondary zones.

Methods of Zone transfer

  1. Full zone transfer: when both primary and secondary servers are configured, the secondary server answers all incoming requests from a full copy of the primary DNS server's zone.
  2. Incremental zone transfer: when new entries are added, the secondary server's database no longer matches the primary's, so to resynchronize the databases of both servers an incremental zone transfer takes place. This requires less bandwidth than a full transfer.
  3. Active Directory transfer: occurs when Active Directory-integrated zones are replicated to the domain controllers in a domain.
  4. DNS notify: DNS notifies the secondary DNS servers when they need to initiate a zone transfer so that the updates of the primary DNS server can be replicated to them.
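The interplay of NOTIFY, the SOA serial and full versus incremental transfer can be shown in a small simulation. The following Python model is an added example, not code from the original post: a primary bumps the SOA serial on every change and notifies its secondaries; a secondary first compares serials (using the wrap-around serial arithmetic of RFC 1982, so it is safe across the 32-bit boundary) and transfers only when the primary is newer, receiving an incremental transfer (IXFR) when the primary still holds the change history from the secondary's serial, and otherwise a full copy (AXFR). The zone records, serials and the history depth are constructed.

```python
"""Toy primary/secondary pair: NOTIFY -> SOA serial check -> IXFR or AXFR.
Added example; the zone data, serials and history depth are constructed."""

SERIAL_BITS = 32


def serial_newer(a, b):
    """True if serial a is newer than serial b under RFC 1982 wrap-around
    arithmetic (so 0 counts as newer than 4294967295)."""
    half = 1 << (SERIAL_BITS - 1)
    return a != b and ((a > b and a - b < half) or (a < b and b - a > half))


class Zone:
    def __init__(self, serial, records):
        self.serial = serial
        self.records = set(records)      # constructed records: (owner, type, rdata)

    def copy(self):
        return Zone(self.serial, self.records)


class Primary:
    def __init__(self, zone, history_depth=3):
        self.zone = zone
        self.history = []                # (old_serial, new_serial, removed, added)
        self.history_depth = history_depth   # how far back an IXFR can be served
        self.secondaries = []

    def soa_serial(self):
        return self.zone.serial

    def update(self, add=(), remove=()):
        """Edit the zone, bump the SOA serial, then NOTIFY every secondary."""
        old = self.zone.serial
        self.zone.records -= set(remove)
        self.zone.records |= set(add)
        self.zone.serial = (old + 1) % (1 << SERIAL_BITS)
        self.history.append((old, self.zone.serial, set(remove), set(add)))
        self.history = self.history[-self.history_depth:]   # forget old deltas
        return [s.notify(self) for s in self.secondaries]

    def transfer(self, from_serial):
        """IXFR replays the deltas since from_serial if they are still in the
        history; otherwise the secondary gets a full copy (AXFR)."""
        for i, (old, _new, _rm, _add) in enumerate(self.history):
            if old == from_serial:
                return "IXFR", [(rm, add, new) for _, new, rm, add in self.history[i:]]
        return "AXFR", self.zone.copy()


class Secondary:
    def __init__(self, primary):
        self.zone = None
        self.log = []
        primary.secondaries.append(self)

    def notify(self, primary):
        """On NOTIFY (or the refresh timer) compare SOA serials first and
        transfer only if the primary's copy is newer."""
        remote = primary.soa_serial()
        if self.zone is not None and not serial_newer(remote, self.zone.serial):
            self.log.append("up-to-date")
            return "up-to-date"
        kind, payload = primary.transfer(self.zone.serial if self.zone else None)
        if kind == "AXFR":
            self.zone = payload
        else:
            for removed, added, new_serial in payload:
                self.zone.records -= removed
                self.zone.records |= added
                self.zone.serial = new_serial
        self.log.append(kind)
        return kind


if __name__ == "__main__":
    primary = Primary(Zone(2020062801, [("www", "A", "203.0.113.50")]), history_depth=1)
    secondary = Secondary(primary)
    print(secondary.notify(primary))                                   # AXFR: first copy
    print(primary.update(add=[("mail", "A", "203.0.113.25")]))         # ['IXFR']
    print(secondary.notify(primary), secondary.zone.serial)            # up-to-date
```

Two practical points follow from the model: a secondary never transfers unless the primary's serial is newer, so an administrator who edits a zone but forgets to bump the serial will see secondaries stay stale; and because IXFR history is finite, a secondary that has been out of contact for long enough silently falls back to a full transfer.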


Thursday, June 18, 2020

Run Levels In Linux




Before understanding run levels, let's understand the boot stages first. The following are the 6 high-level stages of a Linux boot process.

1. BIOS: basic input/output system; performs some system integrity checks and executes the boot loader program.

2. MBR: master boot record; loads and executes the GRUB boot loader.

3. GRUB: Grand Unified Bootloader; loads the default kernel image as specified in the GRUB configuration file.

4. Kernel: the kernel executes the /sbin/init program.

5. Init: init executes the run level programs.

6. Run-level programs: a run level is a state or level of the init process, so a run level can simply be thought of as the state your system enters; for example, if a system is in single-user mode it is in run level 1, while if the system is in multi-user mode it is in run level 5.



Linux relies on the run level to determine which services are started and which services are stopped. Run levels are identified by numbers. Run levels are numbered from 0 to 6, with each run level offering different services. Run levels 0, 1, and 6 are standard run levels reserved for special purposes. Run levels 2, 3, and 4 are used for whatever purpose you or your Linux distribution provider decide.



Init scripts


Init (initialization) is the program on Unix and Unix-like systems that spawns all other processes. It runs as a daemon and typically has PID 1.

The /etc/inittab file is used to set the default run level for the system. This is the run level the system starts up in after a reboot. The applications started by init are located in the /etc/rc.d folder. Within this directory there is a separate folder for each run level, e.g. rc0.d, rc1.d, and so on.


Example of an /etc/inittab file: image via [https://geek-university.com/linux/runlevels/]

 

Depending on your default init level setting, the system will execute the programs from one of the following directories.

run levels 0 – /etc/rc.d/rc0.d/

run levels 1 – /etc/rc.d/rc1.d/

run levels 2 – /etc/rc.d/rc2.d/

run levels 3 – /etc/rc.d/rc3.d/

run levels 4 – /etc/rc.d/rc4.d/

run levels 5 – /etc/rc.d/rc5.d/

run levels 6 – /etc/rc.d/rc6.d/


Please note that there are also symbolic links to these directories directly under /etc. So /etc/rc0.d is linked to /etc/rc.d/rc0.d.


Under the /etc/rc.d/rc*.d/ directories, you would see programs that start with S and K.

Programs starting with S are used during startup: S for startup.

Programs starting with K are used during shutdown: K for kill.


When init starts, it looks for a line in /etc/inittab that specifies the default run level:

id:2:initdefault:


You can ask init to go to a non-default run level at startup by giving the kernel a command-line argument of single or emergency. Kernel command-line arguments can be given via LILO, for example. This allows you to choose the single user mode (run level 1).

While the system is running, the telinit command can change the run level. When the run level is changed, init runs the relevant command from /etc/inittab.
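As an added example (not from the original post), here is a small Python script that reads the default run level out of a constructed /etc/inittab and orders the K and S scripts of an rc*.d directory the way the /etc/rc.d/rc script processes them on entering that run level: the kill scripts first (each called with "stop"), then the start scripts (each called with "start"), both in ascending two-digit order. The inittab contents and the directory listing are constructed samples; the service names are illustrative.

```python
"""Read the initdefault run level from an inittab and order rc*.d scripts.
Added example; the inittab text and the directory listing are constructed."""
import re

# Constructed sample of an /etc/inittab (SysV init format: id:runlevels:action:process).
INITTAB = """\
# constructed sample /etc/inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
"""

# Constructed listing of an /etc/rc.d/rc3.d directory (symlinks into /etc/rc.d/init.d).
RC3_LISTING = ["K05wpa_supplicant", "S10network", "K87restorecond", "S12rsyslog",
               "S55sshd", "README", "S80postfix", "S99local"]

SCRIPT_RE = re.compile(r"^([SK])(\d{2})(.+)$")


def default_runlevel(inittab_text):
    """Return the run level named on the initdefault line, or None if absent."""
    for line in inittab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "initdefault" and fields[1].isdigit():
            return int(fields[1])
    return None


def plan_runlevel_entry(listing):
    """Order the scripts the way /etc/rc.d/rc runs them when entering a run level:
    all K scripts with 'stop' first, then all S scripts with 'start', each group
    sorted by its two-digit sequence number. Entries that are not S/K scripts
    (e.g. a README) are ignored, as the rc script ignores them."""
    kills, starts = [], []
    for entry in listing:
        m = SCRIPT_RE.match(entry)
        if not m:
            continue
        action, order, service = m.groups()
        (kills if action == "K" else starts).append((int(order), service))
    return ([(service, "stop") for _, service in sorted(kills)]
            + [(service, "start") for _, service in sorted(starts)])


if __name__ == "__main__":
    level = default_runlevel(INITTAB)
    print("default run level:", level, "->", f"/etc/rc.d/rc{level}.d/")
    for service, action in plan_runlevel_entry(RC3_LISTING):
        print(f"/etc/rc.d/init.d/{service} {action}")
```

The sequence numbers are what make dependencies work under SysV init: network (S10) must be started before sshd (S55), and a script numbered out of order is the usual cause of a service failing on boot while starting fine by hand.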


A system can be booted into any of several run levels, each of which is represented by a single-digit integer. Each run level designates a different system configuration and allows access to a different combination of processes.

There are differences in the run levels according to the operating system. Seven run levels are supported in the standard Linux kernel. They are:

ID | Name                                                                    | Description
0  | Halt                                                                    | Shuts down the system.
1  | Single-user mode                                                        | Mode for administrative tasks.
2  | Multi-user mode                                                         | Does not configure network interfaces and does not export network services.
3  | Multi-user mode with networking                                         | Starts the system normally.
4  | Not used/user-definable                                                 | For special purposes.
5  | Start the system normally with appropriate display manager (with GUI)  | Same as run level 3 plus a display manager.
6  | Reboot                                                                  | Reboots the system.

Table via [https://en.wikipedia.org/wiki/Runlevel]


In addition to the standard run levels, users can modify the preset run levels or even create new ones if desired. Run levels 2 and 4 are usually used for user-defined run levels.

The program responsible for altering the run level is init, and it can be called using the telinit command. For example, changing from run level 3 to run level 5, which allows the GUI to be started, can be accomplished by the root (i.e., administrative) user by issuing the following command: telinit 5


Booting into a different run level can help solve certain problems. For example, if a change made in the X Windows System configuration on a machine that has been set up to boot into a GUI has rendered the system unusable, it is possible to temporarily boot into a console (i.e., all-text mode) run level (i.e., run levels 3 or 1) to repair the error and then reboot into the GUI. The X Window System is a widely used system for managing GUIs on a single computer and on the network of computers.

Likewise, if a machine will not boot due to a damaged configuration file or will not allow logging in because of a corrupted /etc/passwd file (which stores user names and other data about users) or because of a forgotten password, the problem can be solved by first booting into single-user mode (i.e. run level 1).


The chkconfig tool is used in Red Hat-based systems (like CentOS) to control which services are started at which run levels. Running the command chkconfig --list will display a list of services and whether each is enabled or disabled for each run level.


In recent versions of Linux systems such as RHEL 7, the concept of run levels has been replaced with systemd targets.


Systemd 

Inittab is no longer used when using systemd


systemd (system daemon) is a new init system that replaces the old "System V init", which gave all booting responsibilities to the init process and the processes it spawned. systemd is developed and designed for better handling of dependencies and for multitasking.

systemd uses targets instead of run levels, which helps our machine keep track of all processes, especially daemon processes (background processes). The main purpose of developing this target-based system is to perform parallel processing. All the new and popular Linux distributions such as CentOS 7, RHEL 7.0, Fedora and Arch Linux use it.


Runlevel | systemd target
0        | poweroff.target
1        | rescue.target
2        | multi-user.target
3        | multi-user.target
4        | multi-user.target
5        | graphical.target
6        | reboot.target

By default, there are 2 main targets:

  1. multi-user.target: analogous to run level 3
  2. graphical.target: analogous to run level 5

Image via [https://landoflinux.com/linux_runlevels_systemd.html]


To view the current default target, run: systemctl get-default

And to change the default target:  rm /etc/systemd/system/default.target

Changing run level to 5:

ln -s /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target


Then reboot system to  use runlevel5

Wednesday, June 3, 2020

SELinux In Linux Server CentOS 7



Security-Enhanced Linux

Security-Enhanced Linux, as its name suggests, is a security enhancement in the Red Hat distribution. As we know, the main benefit of Linux is that we can modify the kernel according to our needs and make our own flavor. So SELinux is a kernel module (CentOS) that adds more security; by more security I mean access control security.
Before the introduction of SELinux, which works on mandatory access control (MAC), discretionary access control (DAC) was used.
DAC means that access control is based on the file's owner and its permissions. The root user has full access control under a DAC system.
If the system is a normal workstation then using DAC may be a good choice, but if it is a Red Hat-based Linux server, relying on DAC alone is not good practice. Giving all access control to one user is not advisable.
With the MAC policy introduced by SELinux there is an administratively prebuilt access policy, which means that if the DAC policy or the permission settings on a file or directory change, the SELinux policies are still there to prevent misuse of those permissions. Of course, SELinux also gives the flexibility to limit access between users for files, directories and more. So, now come the benefits of this whole thing we discussed: suppose you are running a Linux server (CentOS) with SELinux disabled, and your Linux server hosts many web pages and websites. An attacker could gain access through one of the vulnerabilities on these websites, such as
1. Web ports HTTP (80) and HTTPS (443)
2. File transfer services, FTP or proftpd
3. The SSH service
4. A vulnerable plugin or theme installed on the website
After finding a vulnerability, the attacker's first approach is to put a shell on the web server and obtain a reverse shell to get root access. If we use an old access policy like DAC, our whole server is compromised and the attacker's job is easy, but with SELinux there are some protections for our server. SELinux isolates the processes run by a local user to remove this kind of chance of privilege escalation. The policies used by mandatory access control are prebuilt; we can't change them, but we can make custom policies according to our needs.
Configuration files of SELinux
There are two methods to edit the SELinux config file:
   1. Using the GUI: you can access it through
                           System > Administration > SELinux Management
   2. Manually via the config file:
      you can directly open the config file with any text editor like vim
      at the location /etc/selinux/config


command to edit config file



After modifying the config file we need to reboot the system; after that, log in to your system and view cat /var/log/messages. If you do not see any error then all is fine and all MAC policies were applied successfully, but if you observe any error then the chances are that the policy was not applied successfully.
When SELinux denies an action, an access vector message, called an AVC (access vector cache) message, is generated and written to /var/log/audit/audit.log and /var/log/messages; for troubleshooting, use ausearch to find any recent AVC messages.
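Here is an added Python example (not from the original post) of what reading those AVC messages looks like in practice: it parses constructed lines in the format auditd writes to /var/log/audit/audit.log, pulls out the source domain (the process type, e.g. httpd_t), the target type, the object class and the denied permissions, and summarizes them so an administrator can see at a glance which policy rule is being hit and whether the denial was actually enforced or only logged because the system was in permissive mode. The log lines, process names, contexts and timestamps are all constructed.

```python
"""Parse SELinux AVC denial records from audit.log and summarize them.
Added example; the sample log lines below are constructed."""
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log records (one web server process
# denied writing to a user's home directory and connecting to a database port,
# plus one non-AVC record and one denial recorded while in permissive mode).
AUDIT_LOG = """\
type=AVC msg=audit(1593331200.101:203): avc:  denied  { write } for  pid=1422 comm="httpd" name="upload.php" dev="dm-0" ino=5231 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1593331201.220:204): avc:  denied  { name_connect } for  pid=1422 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1593331201.220:204): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1593331202.300:205): avc:  denied  { read } for  pid=1422 comm="httpd" name="upload.php" dev="dm-0" ino=5231 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, values optionally quoted


def context_type(ctx):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t' (the type field of a context)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1 means the action was allowed and only logged
        "permissive": fields.get("permissive") == "1",
        # the object differs by class: a file name, a port number, a path
        "target": fields.get("name") or fields.get("dest") or fields.get("path"),
    }


def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    events = [e for e in map(parse_avc, log_text.splitlines()) if e]
    by_rule = Counter(
        (context_type(e["scontext"]), context_type(e["tcontext"]), e["tclass"], perm)
        for e in events for perm in e["perms"])
    return events, by_rule


def enforced_denials(events):
    """Only the denials that actually blocked the action (enforcing mode)."""
    return [e for e in events if e["result"] == "denied" and not e["permissive"]]


if __name__ == "__main__":
    events, by_rule = summarize(AUDIT_LOG)
    for (src, tgt, cls, perm), n in by_rule.most_common():
        print(f"{n:3d}  {src} -> {tgt} ({cls}) {perm}")
    print("blocked:", len(enforced_denials(events)), "of", len(events))
```

The (source type, target type, class, permission) tuple is exactly the shape of an SELinux allow rule, which is why summarizing denials this way makes it easy to decide whether a denial is a genuine misconfiguration (for example a file with the wrong label, fixed with restorecon) or unexpected behaviour from a process that should not be touching that object at all.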


config file of SELinux


There are three basic modes for SELinux:
Permissive: SELinux is enabled but the MAC policies are not enforced on the system; only a warning is shown to the user and the event is logged.
Enforcing: the default mode; a strict mode that enables all policies and restrictions on the system.
Disabled: the mode most commonly found on systems; SELinux is off in this mode.
We can view the current running mode of SELinux before editing the config file with "sestatus".


Output of sestatus on a CentOS server


Inside the config file we also see SELINUXTYPE; this option sets the policy type you want to use. The default one is the targeted policy.
Targeted: the default one, which implements all the MAC policy (most restrictive)
Minimum: only selected processes are protected; we have the liberty of modifying some of the targeted policy
MLS: follows multi-level security protection to prevent users from obtaining access to information for which they are not authorized.
SELinux Policy Overview:
In the SELinux policy there are 700 main topics with approx. 10 lakh (one million) permissions already defined inside the policy.config file. It is a very large file, so it is obvious that the policy ensures the safety of all the services that run inside the system. Clearly a local administrator cannot write such a huge policy himself to satisfy the system's security needs.


Status file after enabling SELinux

SELinux policies are developed in such a manner that every application is covered by at least one policy. The policy is designed so that all the measures used to enable and configure a service sit at the highest level; if a user, or any domain user, wants to run a service outside his scope, the policy has to be changed, which means the lowest policy privileges are given to the local user. The SELinux policy protects not only user-level threads but also kernel-level threads and their classes.
SELinux supports a variety of access control models; among them the main focus was on (extended) type enforcement.


Type_enforcement_model_in_Selinux


In the type enforcement model, a set of operations is represented by an object of a class with data types. The permissions on each operation and its associated classes differ; in fact, each object of a different class has different permissions on it, and it is then up to the administrator how to manage the permissions of objects of different classes.
The main difference between the old and new policy is the set of rules that define the security and access rights for processes in the system. An SELinux predefined policy maps users, groups and others to roles, and roles to their domains.
SELinux introduced predefined users: the users we create on the system are linked to one or more SELinux domains, the basic roles allowed to those users. One further advantage is that processes run by a local user are mapped to the predefined policy, or in other words to the role allowed to that user. The definition of a role in the SELinux policy defines which users have access rights to which role.
Sometimes the prebuilt policy makes it hard for administrators and local users to use the system and resolve policy issues; then the only remaining option is to choose permissive SELinux mode.




